Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "ScratchPad" page has been changed by jmcg:
http://wiki.apache.org/httpd/ScratchPad?action=diff&rev1=41&rev2=42
Comment:
trival replacements of weird characters.
Understanding Multi-Use Digital Certificates
Abstract
- With the proliferation of internal Web-based services that must be exposed to the Internet,
organizations are turning more and more to the use of SSL certificates. However, using traditional
SSL certificates can become cumbersome and quite expensive, especially when organizations
offer several Internet-facing services. This is where multi-use certificatescertificates
that can be reused for different purposescan help. Using a single multi-use certificate,
organizations can reduce costs and simplify certificate management.
+ With the proliferation of internal Web-based services that must be exposed to the Internet,
organizations are turning more and more to the use of SSL certificates. However, using traditional
SSL certificates can become cumbersome and quite expensive, especially when organizations
offer several Internet-facing services. This is where multi-use certificates -- certificates
that can be reused for different purposes -- can help. Using a single multi-use certificate,
organizations can reduce costs and simplify certificate management.
"'Introduction'"
- The best way to prove who you are on the Internet is to use a digital certificate. Thats
because a digital certificate relies on a trusted, third-party authority to verify your identity.
In fact, it uses a chain of trust that begins with you and works its way up to the trusted
authority that validates who you are. This chain of trust provides verifiable Internet security.
+ The best way to prove who you are on the Internet is to use a digital certificate. That's
because a digital certificate relies on a trusted, third-party authority to verify your identity.
In fact, it uses a chain of trust that begins with you and works its way up to the trusted
authority that validates who you are. This chain of trust provides verifiable Internet security.
Take Internet user Bill for example. Bill uses a digital certificate to sign all of his
emails. This example demonstrates the concept of authenticity. The certificate authenticates
Bill as the author of the email.
- The digital certificate also verifies that Bill is the actual author and sender of the email.
This is the concept of non-repudiationby using a certificate, you can certify with reasonable
certainty that the signed document is trusted to be from Bill or at least someone who possesses
the private key corresponding to the signing certificate.
+ The digital certificate also verifies that Bill is the actual author and sender of the email.
This is the concept of non-repudiation -- by using a certificate, you can certify with reasonable
certainty that the signed document is trusted to be from Bill or at least someone who possesses
the private key corresponding to the signing certificate.
In addition, because Bill signs his emails with a digital certificate, the email cannot
be tampered with without invalidating the signature. This is the concept of integrity. Because
the email includes a digital signature, it cannot be modified while in transit without the
tampering being obvious to the recipient.
- Two more security concepts are supported by digital certificates. Availability is critical
to the third-party organization that certifies that Bill is who he claims to be. The verification
service must be available when you need to verify Bills certificate. Finally, confidentiality
is provided by the ability to encrypt data both in the content itself and in the transport
mechanism that is used to send the data to a destination on the Internet.
+ Two more security concepts are supported by digital certificates. Availability is critical
to the third-party organization that certifies that Bill is who he claims to be. The verification
service must be available when you need to verify Bill's certificate. Finally, confidentiality
is provided by the ability to encrypt data both in the content itself and in the transport
mechanism that is used to send the data to a destination on the Internet.
- Similarly, organizations that process transactions on the Internet or that offer Internet-based
services need to rely on digital certificates to validate that they are who they claim to
be; otherwise, no one will trust their services. Most organizations do this by adding certificates
to their Internet-facing servers. When users access a web page hosted on one of these servers,
their Web browser will automatically detect the certificate and modify the session, from an
open session using the HyperText Transfer Protocol (HTTP) to secure HTTP (HTTPS). This will
allow for the encryption of all the data sent between the users workstation and the server.
HTTPS data encryption is provided by the Secure Sockets Layer (SSL). Basically, SSL creates
an encryption tunnel between the client and the server protecting the transfer of data from
one point to the other during the communication exchange. You know you are using SSL when
your browser displays a closed padlock in its status bar.
+ Similarly, organizations that process transactions on the Internet or that offer Internet-based
services need to rely on digital certificates to validate that they are who they claim to
be; otherwise, no one will trust their services. Most organizations do this by adding certificates
to their Internet-facing servers. When users access a web page hosted on one of these servers,
their Web browser will automatically detect the certificate and modify the session, from an
open session using the HyperText Transfer Protocol (HTTP) to secure HTTP (HTTPS). This will
allow for the encryption of all the data sent between the user's workstation and the server.
HTTPS data encryption is provided by the Secure Sockets Layer (SSL). Basically, SSL creates
an encryption tunnel between the client and the server protecting the transfer of data from
one point to the other during the communication exchange. You know you are using SSL when
your browser displays a closed padlock in its status bar.
"'Working with SSL Certificates'"
- In order to enable SSL on their external-facing servers, organizations must purchase a certificate
from a trusted certification authority for each protected service they provide. Today, organizations
can offer several services to their end usersemail, instant messaging, mobile device management,
Web-based interactions and moreand each one of the servers providing these services requires
its own certificate.
+ In order to enable SSL on their external-facing servers, organizations must purchase a certificate
from a trusted certification authority for each protected service they provide. Today, organizations
can offer several services to their end users -- email, instant messaging, mobile device management,
Web-based interactions and more -- and each one of the servers providing these services requires
its own certificate.
SSL certificates are tied to the unique domain name on which a service is hosted. Embedding
the domain name into the certificate is important since this makes it possible to ensure the
identity of the remote computer providing the service by comparing the domain name being accessed
to the domain name included in the certificate itself.
Certificates are issued for a finite period, usually in 12-month increments. Because of
this, you should aim to obtain certificates that are valid for extended periods of time. You
should also aim to select static service names because each time a service name changes, the
certificate must be changed on each server that provides the service. These strategies will
reduce the workload associated with periodic renewal and installation of certificates on your
servers.
- These problems are compounded when organizations must use different domain names for each
secure service they make available on the Internet. In fact, organizations often find themselves
in a situation where they need to use sub-domain namesnames that use the same root name,
but require a different prefix nameto secure each of the services they offer. Because prefix
names are embedded into SSL certificates, organizations usually buy one certificate per service.
As you can imagine, this can become expensive and time-consuming to manage, especially in
organizations that run a multitude of Internet-facing services.
+ These problems are compounded when organizations must use different domain names for each
secure service they make available on the Internet. In fact, organizations often find themselves
in a situation where they need to use sub-domain names -- names that use the same root name,
but require a different prefix name -- to secure each of the services they offer. Because
prefix names are embedded into SSL certificates, organizations usually buy one certificate
per service. As you can imagine, this can become expensive and time-consuming to manage, especially
in organizations that run a multitude of Internet-facing services.
Enter the multi-use SSL certificate. There are two types of multi-use certificates:
Wildcard certificates can secure multiple sub-domains on a single unique Fully Qualified
Domain Name using a single certificate.
Multi-domain certificates can secure multiple Fully Qualified Domain Names using a single
certificate.
Each certificate can simplify management and reduce costs given the right situation.
"'Wildcard Certificates'"
- The first type of multi-use certificate is the wildcard certificate. The name you embed
in a certificate must always follow the fully-qualified domain name (FQDN) format. If you
want a certificate for the Session Initiation Protocol (SIP) used by instant communication
servers in the VirtualSpaceShip.com domain, the name embedded into the certificate will be
SIP.VirtualSpaceShip.com. If you want a certificate for the email service, then you would
normally have to buy a second certificate with the second service namemail.VirtualSpaceShip.comembedded
into it.
+ The first type of multi-use certificate is the wildcard certificate. The name you embed
in a certificate must always follow the fully-qualified domain name (FQDN) format. If you
want a certificate for the Session Initiation Protocol (SIP) used by instant communication
servers in the VirtualSpaceShip.com domain, the name embedded into the certificate will be
SIP.VirtualSpaceShip.com. If you want a certificate for the email service, then you would
normally have to buy a second certificate with the second service name -- mail.VirtualSpaceShip.com
-- embedded into it.
In addition, some secure service implementations require internal as well as external validation
and you use a different name for each; for example, InternalSip.VirtualSpaceShip.com and
ExternalSIP.VirtualSpaceShip.com. In this case, you must have a certificate on each server
in the internal and external service to allow users to work unimpeded whether they are in
the office or on the road. This is the case for instant messaging infrastructures where you
want to ensure messages are encrypted whether they are internal or external. Note that servers
cannot include two certificates for the same purpose.
Wildcard certificates do not include service names. Instead, they are standard certificates
that support the use of a wildcard character to replace the prefix name in the subject name
field, for example, *.VirtualSpaceShip.com. Using a wildcard certificate is much more practical
and versatile than using multiple single purpose certificate since the wildcard certificate
can be applied to a number of different services without requiring any updates. In addition,
you can add, change or replace services without needing to update the certificate.
@@ -39, +39 @@
Multi-domain certificates include the standard Subject Name field which supports a single
primary service name, as well as an additional entry called the Subject Alternative Name field
which supports the additional service names. The SAN certificate can therefore be installed
on several servers and function properly to support internal/external service delivery.
SAN certificates have the same issues as single-purpose certificates however. Because the
actual service names are embedded into the certificate, you must make sure your services always
use the same name otherwise you must change the certificate and since the certificate is a
multi-use certificate, you must change it on each of the computers that host the service which
the certificate supports. Additionally, when you want to add services to provide further functionality
to your users, you must update the SAN certificate with the new service names.
- Multi-domain, SAN, or UCC certificates are useful when organizations require different root
domain names to run Internet-facing services. Subject alternate name certificates are also
called Unified Communications Certificates (UCC) since they were primarily designed to support
real-time communications infrastructures. For example, an organization providing both internal
and external unified communications services with two different domain namesfor example,
SIP.VirtualSpaceShip.com the external domain and SIP.VirtualSpaceShip.com for the internal
namewould benefit from a multi-domain certificate because in this case, the wildcard certificate
would not work. In fact, if the organization was using wildcard certificates, two wildcard
certificates would be required because the root domain name is different in each case.
+ Multi-domain, SAN, or UCC certificates are useful when organizations require different root
domain names to run Internet-facing services. Subject alternate name certificates are also
called Unified Communications Certificates (UCC) since they were primarily designed to support
real-time communications infrastructures. For example, an organization providing both internal
and external unified communications services with two different domain names -- for example,
SIP.VirtualSpaceShip.com the external domain and SIP.VirtualSpaceShip.com for the internal
name -- would benefit from a multi-domain certificate because in this case, the wildcard certificate
would not work. In fact, if the organization was using wildcard certificates, two wildcard
certificates would be required because the root domain name is different in each case.
A single multi-domain certificate could easily support the following names and more: www.VirtualSpaceShip.com,
www.VirtualSpaceShip.ws, www.VirtualCDVD.com, www.VirtualWorkersInSpace.com
- Multi-domain certificates are also useful for application service providers (ASP) who host
applications for multiple clients with each client using their own domain name. By using a
multi-domain certificate, ASPs can use a single certificate to support multiple clients. Note
that the site seal and certificate Issued To will only be for the primary domain name
entered in the certificate and will not include any of the other domain names. However, the
certificate itself will include all of the domain names that have been entered when the certificate
was purchased.
+ Multi-domain certificates are also useful for application service providers (ASP) who host
applications for multiple clients with each client using their own domain name. By using a
multi-domain certificate, ASPs can use a single certificate to support multiple clients. Note
that the site seal and certificate "Issued To" will only be for the primary domain name entered
in the certificate and will not include any of the other domain names. However, the certificate
itself will include all of the domain names that have been entered when the certificate was
purchased.
While multi-domain certificates are also useful when used to support unified communications
deployments, there are some caveats for their use:
- Multi-domain certificates do not support use of wildcard characters. For this reason,
sub-domain names must be added as a unique domain name entries in the certificate. Each time
a new domain name is added or an old one is removed the certificate must be updated and re-deployed
to each host server.
@@ -56, +56 @@
Both certificate types offer several benefits and include several features. In addition,
both are available in full authentication format only. Domain-only authentication certificates
only require the validation of the domain before they are issued, and because of this, cannot
be used with multi-use certificates. Full authentication certificates require both the validation
of the domain itself and the validation of the business running the domain. Because of this,
full certificates are more trustworthy than domain-only certificates. This is another reason
the full authentication model is used for multi-use certificates. Keep this in mind as you
make your choice.
"'Making the Selection'"
- Multi-use certificates were developed to provide multiple secure services originating from
a single IP address. To accomplish this, these certificates either add a subject alternate
name (SAN) field to the common single-use certificate or use a wildcard to replace the service
name in the certificate. Microsoft Exchange Server 2007 is an excellent example of this type
of requirement. The same external Exchange server can publish several different types of services:
Outlook Web Access, Outlook Anywhere Access, AutoDiscovery configuration information, and
more. Each of these services requires the publishing of its own namefor example, OWA.VirtualSpaceShip.com,
Mail.VirtualSpaceShip.com, Autodiscover.VirtualSpaceShip.com ideally within a single certificate.
+ Multi-use certificates were developed to provide multiple secure services originating from
a single IP address. To accomplish this, these certificates either add a subject alternate
name (SAN) field to the common single-use certificate or use a wildcard to replace the service
name in the certificate. Microsoft Exchange Server 2007 is an excellent example of this type
of requirement. The same external Exchange server can publish several different types of services:
Outlook Web Access, Outlook Anywhere Access, AutoDiscovery configuration information, and
more. Each of these services requires the publishing of its own name -- for example, OWA.VirtualSpaceShip.com,
Mail.VirtualSpaceShip.com, Autodiscover.VirtualSpaceShip.com -- ideally within a single certificate.
Multi-use certificates reduce cost and simplify management by supporting the inclusion of
multiple names within the same certificate or the replacement of service names with a wildcard.
However, each multi-use certificate type should only be used in specific situations:
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org